
Re: (ITS#6198) Authorization for extensions

Howard Chu wrote:
> Michael Ströder wrote:
>> hyc@OpenLDAP.org wrote:
>>> Full_Name: Howard Chu
>>> Version: HEAD/2.5
>>> OS:
>>> URL: ftp://ftp.openldap.org/incoming/
>>> Submission from: (NULL) (76.91.220.157)
>>> Submitted by: hyc
>>>
>>>
>>> The access control mechanism needs to be extended to control actions,
>>> not just
>>> objects, to control who may use various LDAP Controls and Extended
>>> Operations.
>>
>> +1
>>
>>> E.g.
>>>    access to control=<oid>  by <who>
>>>    access to op=<operation or oid>  by <who>
>>                    ^^^^^^^^^
>> What is "operation" supposed to be? I'd prefer only to allow "oid" since
>> OIDs are the only identifiers clearly specified in RFCs and I-Ds.
> 
> Ugh, no. There's no way any sysadmin is going to remember what each OID
> means.

There are tools to display them:
http://demo.web2ldap.de:1760/web2ldap?ldap://ldap.uninett.no/??base

There also could be GUI tools to display ACLs to humans.

> Each exop will be given a "friendly name" like WhoAmI, ModifyPwd, 
> etc.

Who maintains the list of friendly names? Yes, the OpenLDAP project can
maintain a proprietary list like all other LDAP vendors do. :-(
Probably that's another topic for cross-vendor coordination...

Ciao, Michael.